
In the last post, I discussed the “generic” tools and techniques used in this planning process. By “generic” I mean the tools and techniques that are used not just in this planning process, but in many project management planning processes in general, such as expert judgment, data gathering (interview techniques), interpersonal and team skills (facilitation techniques), and decision-making techniques.

In this post I will discuss those tools and techniques used specifically for this process.

There are strategies for threats, that is, negative risks, and there are strategies for opportunities, that is, positive risks. Remember that PMI considers “risks” in a wider context than normally used in everyday life. Risk is an event or condition that can occur that has a positive or negative impact on the outcome of a project. You obviously want positive risks to occur, and so the strategy for dealing with them is how to exploit them when they do occur, and how to enhance the probability of their occurring. On the other hand, you do not want negative risks to occur, so the strategy for dealing with them is the mirror opposite of what you do with positive risks: you try to avoid them so that they do not occur at all, or to mitigate the probability of their occurring.

There is also the concept of sharing a positive risk with another company, or transferring a portion of a negative risk to another company (like when you buy insurance). And you can always accept a positive or negative risk that has little probability of occurring. To these four basic strategies for dealing with risk that were previously discussed in the 5th Edition of the PMBOK® Guide, there is a fifth basic strategy added for the 6th Edition of the Guide, and that is the strategy of escalating a risk. This means that there is a risk threshold which is set at the beginning of the project. If a risk response occurs which requires the expenditure of over a set amount of money, the risk threshold, then the project sponsor needs to get involved to get approval of this from management.

This is similar to what happens in many projects with regards to change management. The project manager has authority to implement changes that go up to a certain threshold in terms of expenditure, but anything over that amount may require approval from the project sponsor.

With that brief introduction, let’s go into more detail regarding the tools and techniques for this process. (The numbering of the tools and techniques does not start with 11.5.2.1 because the missing numbers are those tools and techniques which were discussed in the last post as “generic”.)

11.5.2.4 Strategies for Threats (Negative Risks)

Escalate–if a threat is outside the scope of a project or if the proposed risk response would exceed the project manager’s authority. Escalated risks are dealt with at the program or portfolio level of the organization’s project management structure (whether there is a PMO or not), and are not dealt with further by the project team after escalation, although they may be recorded in the risk register for information purposes.

Avoid–This strategy is appropriate for high-probability, high-impact risks. It may involve the following in order to reduce the probability of occurrence to zero:

Transfer–This strategy is appropriate for low-probability, high-impact risks. For example, the probability that you will be in an auto accident is low, but the impact could be high (no pun intended), so that is why you must buy auto insurance. Transfer may be achieved by the following means:

use of insurance (payment of a risk premium to the party taking on the threat)

performance bonds

warranties, guarantees

agreements to transfer ownership and liability for specific risks to another party

An example of the last bullet point is when I was working for an automobile manufacturing company. The air bag module is an especially dangerous component to manufacture because it involves an explosive device (which causes the airbag to inflate in such a short period of time). Our company did not have the expertise to manufacture this component, but another company did and we had them manufacture the air bag module for us to put into our cars. However, if there was an accident where there was an injury caused by a defective air bag module, then there was an agreement that this company would pay for the cost of the claim or lawsuit if it came to that. This is a perfect example of a “transfer” strategy when it comes to risk.

Mitigate–This strategy is appropriate for high-probability, low-impact risks or if the impact is not high, but moderate. This reduces the probability of the risk occurring or the impact if it does occur. You mitigate the risk of it raining by taking along an umbrella. It won’t do much for the probability of it raining, but it will reduce the impact on your clothes. Here are some actions that use the mitigation strategy:

Prototype development (reduces probability of risk occurring)

Designing redundancy into a system (reduces impact if risk occurs)

Accept–This strategy is appropriate for low-probability, low-impact risks. This is where there is no proactive action taken. It may be appropriate for low-priority threats, or where a risk response is not cost-effective (i.e., it costs more to implement a risk response than the impact of the risk if it occurs). Some typical acceptance strategies are:

Establishing a contingency reserve to handle the threat if it does occur

Putting risk on a “watch list” for monitoring periodically

11.5.2.5 Strategies for Opportunities (Positive Risks)

Remember that these strategies are the mirror opposite of strategies to deal with threats or negative risks.

Escalate–if an opportunity is outside the scope of a project or the opportunity would exceed the project manager’s authority. Escalated opportunities are dealt with at the program or portfolio level of the organization’s project management structure (whether there is a PMO or not), and are not dealt with further by the project team after escalation, although they may be recorded in the risk register for information purposes.

Exploit–This is a strategy for dealing with high-priority opportunities where the organization wants to ensure (i.e., make the probability 100%) that the opportunity is realized. Examples of this strategy are:

Assigning an organization’s most talented resources to the project

Using new technologies or new technology upgrades to reduce cost and duration of a project

Share–This is a strategy for transferring ownership to a third party so that it shares some of the benefit if the opportunity occurs, especially if that third party has expertise to best be able to capture the opportunity for the benefit of the project. Examples of this strategy are:

Payment of a risk premium to the party taking on the opportunity

Forming risk-sharing partnerships or joint ventures

Enhance–This is a strategy for increasing the probability and/or impact of an opportunity. Early action taken to enhance the probability of an occurrence of an opportunity may be more effective than trying to improve the benefit of an opportunity after it has occurred. Examples of this strategy are:

Adding more resources to an activity to finish early

Taking advantage of a sale of needed resources that occurs before they are actually used on a project

Accept–just like its counterpart for negative risks, this is where no proactive action is taken, but simply acknowledging the existence of an opportunity. Examples of this strategy are:

Establishing a contingency reserve to take advantage of the opportunity if it occurs (active strategy)

Putting the risk on a “watch list” and reviewing it periodically to ensure that it does not change significantly in terms of probability or impact (passive strategy).

11.5.2.6 Contingent Response Strategies

Certain risk responses are implemented only if certain events occur. A risk response can be implemented in this case if there is sufficient warning that the risk may be triggered. Risk responses so identified are called contingency plans, and include the triggering events that set the plans in effect. Examples of such contingent risk responses:

Dealing with missing intermediate milestones

Gaining higher priority with a seller

11.5.2.7 Strategies for Overall Project Risk

As you may recall from previous posts, Qualitative Risk Analysis focuses on individual project risks, but in projects of sufficient size and/or complexity, Quantitative Risk Analysis may calculate the overall project risk taken by summing the product of probability times potential impact for all of the individual project risks.

Risk responses should be planned for individual project risks (see paragraphs 11.5.2.5 Strategies for Threats and 11.5.2.6 Strategies for Opportunities), but this paragraph deals with risk responses to the overall project risk.

Avoid–if the overall project risk is significantly negative or outside the agreed-upon risk thresholds for the project, an avoid strategy may be adopted. If it is not possible to bring the project back within the thresholds, then the project may be cancelled. This is obviously the most extreme degree of risk avoidance. Example of this strategy:

Removal of high-risk elements of scope from the project

Exploit/share–if the overall project risk is significantly positive and outside the agreed-upon risk thresholds for the project, then an exploit strategy may be adopted (this is obviously the mirror opposite of the “avoid” strategy listed above). Example of this strategy:

Addition of high-benefit elements of scope to the project (to add value or benefits to stakeholders).

Risk thresholds for the project may be modified with the agreement of key stakeholders in order to embrace the opportunity

Transfer/share–if the overall project risk is high but the organization is unable to address it effectively by itself, a third party may be involved to manage the risk on behalf of the organization. Where overall project risk is negative, a transfer strategy is required; where overall project risk is positive, a shared ownership strategy is required. Examples of this strategy include:

Setting up a collaborative business structure in which the buyer and the seller share the overall project risk

Launching a joint venture or special-purpose company

Subcontracting key elements of the project

Mitigate/enhance–if the overall project risk needs to be changed in order to achieve the project’s objectives. Mitigation strategy is used if the overall project risk is negative; enhancement strategy is used if the overall project risk is positive. Examples of this strategy include:

Replanning the project

Changing the scope and boundaries of the project

Modifying project priority

Changing resource allocations

Adjusting delivery times

Accept–where no proactive risk response strategy is possible to address overall project risk, the organization may choose to continue with the project as currently defined. Examples of this strategy include:

Establishing an overall contingency reserve for the project to be used if the project exceeds its risk thresholds (active strategy)

Review of the level of overall project risk to ensure that it does not change significantly (passive strategy)

11.5.2.8 Data Analysis

Alternatives analysis–if there is more than one risk response strategy identified to deal with individual project risks, alternatives analysis can help choose the most appropriate option.

Cost-benefit analysis–if the impact of an individual project risk can be quantified in monetary terms using Earned Monetary Value (equal to the estimated probability of the risk occurring times the dollar amount of the potential impact on the objectives if the risk occurs), then the cost-effectiveness of alternative risk response strategies can be determined using cost-benefit analysis. The effectiveness of the risk response strategy can be measured by the ratio of the change in impact level measured by EMV divided by the cost of the implementation of the risk response strategy. For example, if doing a prototype of a design reduces the risk of failure from 25% to 5%, then the change in the potential impact (the change of 20% in the probability of the risk of failure times the cost of such a failure) divided by the cost of doing the prototype would be a concrete example of such a calculation. The higher the ratio, the more effective the risk response would be.
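The alternatives analysis and cost-benefit ratio described above, as an added Python example that is not part of the original post or the PMBOK® Guide. The dollar figures, the candidate responses other than the prototype, the rule that a ratio of 1 or less means "accept", and the project manager's spending authority are all constructed assumptions; only the 25% to 5% prototype figures come from the text.

```python
from dataclasses import dataclass


@dataclass
class Response:
    name: str
    cost: float          # cost of implementing the response, in dollars
    p_after: float       # probability of the risk once the response is in place
    impact_after: float  # dollar impact if the risk still occurs


def emv(probability, impact):
    """Monetary value of a risk: probability times dollar impact."""
    return probability * impact


def rank_responses(p_before, impact_before, responses, pm_authority):
    """Rank alternative responses to one risk by EMV reduction per dollar spent.

    Assumed decision rules (hypothetical, for illustration):
      ratio <= 1           -> "accept": the response costs more than it saves
      cost > pm_authority  -> "escalate": spending needs sponsor approval
      otherwise            -> "implement"
    """
    baseline = emv(p_before, impact_before)
    rows = []
    for r in responses:
        reduction = baseline - emv(r.p_after, r.impact_after)
        ratio = reduction / r.cost
        if ratio <= 1.0:
            decision = "accept"
        elif r.cost > pm_authority:
            decision = "escalate"
        else:
            decision = "implement"
        rows.append({
            "name": r.name,
            "emv_reduction": reduction,
            "ratio": round(ratio, 2),
            "decision": decision,
        })
    # The higher the ratio, the more effective the response.
    rows.sort(key=lambda row: row["ratio"], reverse=True)
    return rows


# Constructed sample data: a design-failure risk with a 25% probability
# and an assumed $200,000 impact.
FAILURE_IMPACT = 200_000
CANDIDATES = [
    # Prototype cuts the probability from 25% to 5% (figures from the text).
    Response("prototype", cost=10_000, p_after=0.05, impact_after=FAILURE_IMPACT),
    # Redundancy leaves the probability alone but halves the impact.
    Response("redundancy", cost=30_000, p_after=0.25, impact_after=100_000),
    # Reusing a proven design removes the risk but exceeds the PM's authority.
    Response("proven design", cost=25_000, p_after=0.0, impact_after=FAILURE_IMPACT),
]

if __name__ == "__main__":
    for row in rank_responses(0.25, FAILURE_IMPACT, CANDIDATES, pm_authority=20_000):
        print(row)
```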

This concludes this section on risk response strategies. It is the most complicated of the planning processes for risk management, but it is the heart of what risk management is about: doing what you can to reduce risk during the project. The next two risk management processes implement these risk response strategies that were developed during the planning phase of the project and then monitor & control them throughout the course of the project.

But before we go on to those processes, let’s discuss the outputs of this process 11.5 Risk Responses.

This is the final planning process for risk management, and it is ultimately the most important because you plan on doing risk responses to mitigate individual project risks and thus ultimately reduce the overall project risk.

The tools and techniques, like those in the previous process 11.4 Quantitative Risk Analysis, are so numerous and complex that I am breaking up the post into two parts: this post will cover the “generic” tools and techniques that are used in many planning processes, not just this one: expert judgment, data gathering, interpersonal and team skills, and decision making. The next post will cover those tools and techniques which are specific to this process.

11.5.2 Plan Risk Responses: Tools and Techniques

11.5.2.1 Expert Judgment

Like all planning processes, you should consider expertise from individuals or groups with expertise in the process you are planning to do. In this case, that would be those who have expertise in the following:

Threat and opportunity response strategies

Contingent response strategies

Overall project risk response strategies

These strategies are all tools and techniques that will be discussed in the following post.

11.5.2.2 Data-gathering

Interviews can be used to develop responses to individual project risks. The interviews should be with team members who have expertise in developing risk responses or stakeholders who have knowledge about specific individual project risks, particularly risks which have been encountered before on previous, similar projects.

11.5.2.3 Interpersonal and Team Skills

The data-gathering technique listed above is for interviewing individuals regarding risks. You can develop risk responses in a group by using facilitation methods, and it is these facilitation skills which are techniques which can help risk owners understand the risk, and identify and compare alternative risk response strategies.

11.5.2.9 Decision Making

In a group setting such as the facilitation mentioned above, it is important to use decision-making techniques to prioritize and finally decide upon which of the alternative risk response strategies developed in the facilitation to adopt.

The other tools and techniques are all specific to this process and will be discussed in tomorrow’s post.

“God grant me the serenity to accept the things I cannot change; courage to change the things I can; and wisdom to know the difference.”–the Serenity Prayer

In planning risk responses, you are enacting the spirit of the serenity prayer in doing what you can to change what you can, which is usually the probability or impact of a risk occurring. Since you may not eliminate entirely the probability of its occurring, you need to accept it in the sense of preparing for it so the impact isn’t so great once it occurs. If there are risks that are small, it may be okay to accept them in the sense of being willing to have a temporary workaround rather than preparing for a risk response ahead of time. The wisdom to know the difference comes from the results of the previous two processes where you analyze the risks to see which ones matter the most to the outcomes of the project.

The inputs to this process are the following:

11.5.1 Plan Risk Responses: Outputs

11.5.1.1 Project Management Plan

The project management plan contains the component management plans from the various knowledge areas and the baselines for the main three constraints of scope, schedule and cost.

Resource management–once the risk responses in this process are agreed upon, how will resources, both physical and human, be allocated to implement them?

Risk management plan–the roles and responsibilities for risk management, as well as the thresholds for risk management, are set out in the risk management plan. The thresholds are important for the “escalate” response to a given risk, as we will see when we discuss the tools and techniques of this process.

Cost baseline–the cost of risk responses will come from the “contingency fund”, and this needs to be allocated from the budget

11.5.1.2 Project Documents

Lessons learned register–lessons learned about effective risk responses used in earlier phases of the project are reviewed to determine if similar responses might be useful during the remainder of the project.

Project schedule–once the risk responses in this process are agreed upon, how will they be scheduled alongside other project activities? Will risk response activities get added to the WBS but in a different color to show that they are only done if the risk is triggered?

Project team assignments–who are the people that are assigned as risk owners who will carry out the risk responses?

Resource calendars–what resources (both physical and human) can potentially be available to be allocated to risk responses that have been agreed upon?

Risk register–for the individual project risks that have been identified:

which risks require risk responses (those that don’t are put on the so-called “watch list”)

priority level for each risk to help guide the selection of risk responses

The next post will cover the tools and techniques of this process. Since there are many, I will break them up into the generic tools and techniques used in many planning processes (expert judgment, data gathering, interpersonal and team skills, and decision-making), and those that are specific to this particular process (strategies for threats, strategies for opportunities, contingent response strategies, strategies for overall project risk, and data analysis of risk response strategies).

Here are the outputs to the process 11.4 Perform Quantitative Risk Analysis: they are all project documents which give quantitative results regarding the overall project risk exposure, as well as a probabilistic analysis of the project. In addition, there is a prioritized list of individual project risks, the start of a trend analysis in quantitative risk which will be updated throughout the project, and a set of recommended risk responses which sets you up for the next process 11.5 Plan Risk Responses.

Although the outputs focus on the overall project risks, various individual risks are highlighted that pose the greatest threat or opportunity to achieving the key objectives.

11.4.3 Perform Quantitative Risk Analysis: Outputs

Assessment of overall project risk exposure

Chances of project success, measured by the probability that the project will achieve its key objectives (deadline or other interim milestones, required cost target, etc.)

Degree of variability remaining within the project, indicated by the range of possible project outcomes (related to the largest individual risks that are indicated by the sensitivity analysis tool/technique).

Detailed probabilistic analysis of the project

Amount of contingency reserve needed to provide a specified level of confidence

Identification of individual project risks or other sources of uncertainty that have the greatest effect on the project critical path.

Major drivers of overall project risk.

Prioritized list of individual project risks–using sensitivity analysis, you identify those project risks that pose the greatest opportunity to the project.

Trends in quantitative risk analysis results–you take this same quantitative risk analysis output and update it during the project if there are any changes either in probability or impact of the largest individual project risks. In this way, you can chart the trends in quantitative risk analysis results. For example, if a major individual risk is not triggered during the project, then this has an effect of lowering the overall project risk because that individual risk was a big contributor to the total risk. Or if the probability of a risk increases, this may have an effect of increasing the overall project risk. The trends may show where it is important to spend the effort in developing risk responses.

Recommended risk responses–based on the results of the quantitative risk analysis, the risk report may present suggested responses to the level of overall individual risk exposure or key individual project risks, thus giving valuable input to the next process

The next post will cover the inputs for process 11.5 Plan Risk Responses, which come from not only the 4 other planning processes for risk management, but from documents related to other project management knowledge areas.

Now is the post where we discuss the data analysis techniques of quantitative risk analysis.

11.4.2 Perform Quantitative Risk Analysis: Tools and Techniques

11.4.2.5 Data Analysis

Simulation–in the qualitative data analysis, you assigned a probability and an impact to each individual project risk. With simulation, it’s as if you roll the dice on each risk to see whether in a particular scenario the risk would occur. If it does occur, you count that impact towards the total. If it does not occur, then you don’t count it. You sum up the impacts that get added to the total by all the triggered risks for that scenario. Then you have the computer software do the calculation over and over again, and you get as a result a probability curve for how much the total impact will be. Then you choose a confidence interval, so that you can say as a conclusion that “within 90% confidence level, the potential impact of the project risks will be a total of X dollars.” For an example of such a probability curve associated with the simulation, see Figure 11-13 on p. 433 of the 6th Edition of the PMBOK® guide. Note that because such a simulation requires sometimes thousands of calculations, this is not something you will be required to do for the exam, but you will be required to know what this data analysis does and basically how it works.

Sensitivity analysis–out of all the individual project risks, there will be some that have the most important potential impact on project outcomes. A typical way of representing these potential impacts is the “tornado diagram”, so called because the wedge shapes that represent the largest potential impact are put on top, and the smaller risks with progressively smaller impact are put underneath so that the diagram is vaguely funnel shaped. An example of such a tornado diagram is in Figure 11-14 on p. 434 of the 6th Edition of the PMBOK® guide.

Decision tree analysis–the concept behind decision tree analysis is actually pretty simple. Say there is a scenario in which there are two possible decisions, decision A and decision B. For each decision, there are two possible outcomes, outcome A and outcome B. You calculate how much money it will cost to adopt decision A, and calculate the Expected Monetary Value (EMV) of scenario A by taking the impact of outcome A times the probability of it occurring plus the impact of outcome B times the probability of it occurring. The total EMV of scenario B is then calculated and compared to the EMV of scenario A. Which has the lower EMV, decision A or decision B? That is the decision that you should choose. Look at the example of Figure 11-16 of a Decision Tree problem on p. 435 of the 6th Edition of the PMBOK® guide.

Influence diagrams–you take a particular situation within a project, most likely the ones you get from the sensitivity analysis described above that show the situations that have the greatest potential impact on the project. What are the factors that influence these individual project risks? You then do an analysis of the probability distributions affecting these influences, so you can model what the combined total of these influences will be on the probability and impact of the individual project risk you are looking into.

Although all of these techniques are quantitative, they all ultimately stem from the same concepts of probability and impact that you looked at in the previous process Perform Qualitative Risk Analysis. The only difference is that a) the impact has to have a specific dollar amount rather than a qualitative description, and b) the analysis of all the individual project risks is summed up to show a total potential impact on the overall project objectives, usually involving the three basic constraints of schedule (will the project be done within the deadline), cost (will the project be done within the budget), and scope (will all the requirements of the project be met).
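The simulation described above, as an added Python example that is not part of the original post or the PMBOK® Guide. The risk register is constructed sample data (R1 reuses the 10% and $10,000 figures from the EMV discussion), risks are assumed to be independent, and the confidence level is read off with a nearest-rank percentile.

```python
import math
import random

# Constructed risk register (sample data, not from the original post).
# Each entry: (risk id, probability of occurring, cost impact in dollars).
RISK_REGISTER = [
    ("R1", 0.10, 10_000),
    ("R2", 0.25, 40_000),
    ("R3", 0.05, 100_000),
    ("R4", 0.50, 8_000),
]


def total_emv(register):
    """Sum of probability times impact over all individual risks."""
    return sum(p * impact for _, p, impact in register)


def simulate(register, trials=20_000, seed=1):
    """Roll the dice on every risk in every scenario; return sorted totals."""
    rng = random.Random(seed)  # fixed seed so the run is repeatable
    totals = []
    for _ in range(trials):
        total = 0
        for _, p, impact in register:
            if rng.random() < p:   # the risk is triggered in this scenario
                total += impact    # count its impact towards the total
        totals.append(total)
    totals.sort()
    return totals


def percentile(sorted_totals, confidence):
    """Smallest total that covers `confidence` of the scenarios (nearest rank)."""
    rank = math.ceil(confidence * len(sorted_totals))
    return sorted_totals[max(rank, 1) - 1]


def summarize(register, confidence=0.90, trials=20_000, seed=1):
    totals = simulate(register, trials, seed)
    emv = total_emv(register)
    return {
        "emv": emv,
        "mean": sum(totals) / len(totals),
        # Reserve needed to cover the chosen share of simulated scenarios.
        "reserve": percentile(totals, confidence),
        # Share of scenarios a reserve equal to the summed EMV would cover.
        "coverage_of_emv": sum(1 for t in totals if t <= emv) / len(totals),
    }


if __name__ == "__main__":
    result = summarize(RISK_REGISTER)
    print(f"Summed EMV:            ${result['emv']:,.0f}")
    print(f"Simulated mean impact: ${result['mean']:,.0f}")
    print(f"90% confidence level:  ${result['reserve']:,.0f}")
    print(f"Scenarios covered by an EMV-sized reserve: {result['coverage_of_emv']:.0%}")
```

With this sample register the simulated mean lands close to the summed EMV, but a reserve of that size covers only about 71% of scenarios; the 90% confidence level is considerably higher.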

In yesterday’s post, I discussed the “generic” tools and techniques associated with this process 11.3 Perform Quantitative Risk Analysis, that is, those that are also used in conjunction with a number of other planning processes: expert judgment, data gathering, and interpersonal and team skills.

Today let’s talk about the remaining tools and techniques which are specific to this process.

11.4.2 Perform Quantitative Risk Analysis: Tools and Techniques

11.4.2.4 Representations of Uncertainty

When you are dealing with uncertainty in regards to estimates for duration, cost and resources, the model of how to deal with this is a probability distribution. Let’s take two examples that should be familiar if you know about the three-point estimates used in estimating duration and/or cost estimates.

Take an example of estimating how long it takes for you to get to work. If you are asked by your boss to give him or her an estimate of how long it takes you to get to work, you may give that person a single figure, a one-point estimate, say 30 minutes. That’s the estimate you use if everything is going well with regards to traffic–no accidents, no road construction, no weather hazards, etc.

Now let’s say that your boss says you have to be at a start-up meeting at a certain time, and that your success on the job is critically dependent on being there on time. Will you leave 30 minutes ahead of that meeting time? If you are me, and you are being risk averse, you will want to leave a little earlier. How much earlier?

Here’s where the three-point estimate comes in. The 30-minute estimate is actually just the most likely (M) estimate. A pessimistic estimate (P) is based on what happens if a negative risk occurs, such as one of the things I mentioned above such as a traffic accident that slows traffic down. These things happen infrequently, but if they do occur, it could mean a delay of at least 30 minutes, meaning a total of a 60-minute commute. An optimistic estimate (O) is based on what happens if a positive risk occurs also known as an opportunity. There may be less traffic than normal on a given day, perhaps because it is a federal holiday which most people get off but you don’t. The only positive aspect of being one of the few who have to work on that day is that traffic is similar to weekend traffic, and you may find yourself zipping to work in only 20 minutes.

How do you calculate the three-point estimate based on the most likely, pessimistic and optimistic estimates? Well, here’s where the probability distribution comes in.

If you have a triangular distribution, you count the pessimistic, optimistic and most likely EQUALLY. You take their average the normal way with three items that are of equal weight, namely (P + O + M)/3 = (60 + 20 + 30)/3 = 35 minutes. But if you are using a beta or weighted average distribution, this gives 4 times as much weight to the most likely estimate. Why? Well, that’s why it’s called the “most likely”, because it is most likely to happen as compared to the scenarios behind the pessimistic and optimistic estimate. In this case the weighted average is then (P + O + 4M)/6. Why do you divide by 6 instead of 3? Because it’s like there are six different terms, with four of them being the same one, the most likely estimate. In this case, then, the weighted average becomes [60 + 20 + 4(30)]/6 = 33.3 minutes. So you would give yourself an extra 3.3 minutes head start to get out the door rather than an extra 5 minutes in the case of the triangular or regular average.

Now there are other probability distributions such as the “normal” distribution or “bell curve” distribution that represent the normally occurring distribution of probabilities in naturally occurring phenomena like height in populations, etc. Other types of probability distributions are listed on p. 432 of the 6th Edition PMBOK® Guide.

Another way for uncertainty to be represented in the case of individual project risks is something called expected monetary value or EMV. Let’s say there is a 10% risk of something happening, but the impact if it does happen is that it will cost the project $10,000. How much money should you put aside for a risk response? With EMV you simply take the probability of 10% and multiply it times the potential impact of $10,000, and you get $1,000 as the money that should be put aside. This risk response is an example of a contingency reserve, or money that is put aside in case an individual project risk occurs that has been predicted beforehand in the risk register. If you take the various probabilistic branches for all the individual project risks, you get something close to the simulation described in the next tool and technique called “data analysis.”

This is a very complex process and there are two types of tools and techniques used with it: what I term the “generic” tools and techniques which are used with many planning processes, not just this one. And then there are the data analysis techniques (simulation, sensitivity analysis, decision tree analysis, influence diagrams) that are used specifically with this particular process.

I am going to split up the tools and techniques and describe the generic ones in this post, and save the ones that are specific to this process for the next post.

11.4.2 Perform Quantitative Risk Analysis: Tools and Techniques

11.4.2.1 Expert Judgment

Expertise should be considered from those people who have specialized knowledge regarding the quantitative analysis of risks. In particular, those who know about:

Translating the information on individual project risks in terms of probability and impact into numeric inputs for the quantitative risk analysis model using a tool called Earned Monetary Value.

Selecting the most appropriate representation of uncertainty to model particular risks. You are familiar with the triangular and beta distributions from the concept of three-point estimates. There are other distributions that are possible and an expert will know what is the most appropriate for the project at hand and know how to work with them.

Which of the modeling techniques are most suitable for use on the project (simulation, sensitivity analysis, decision tree analysis, and/or influence diagrams).

Interpreting the outputs of quantitative risk analysis and preparing them for inclusion in the risk register and risk report.

11.4.2.2 Data Gathering

Interviews are the main form of technique used to gather data from the experts mentioned above.

11.4.2.3 Interpersonal and Team Skills

Although individual interviews with experts are helpful, with a complex topic like risk analysis it is often extremely beneficial to have a dedicated risk workshop, and this is where the skill of facilitation of such a workshop comes into play. A facilitator needs to help do the following:

Establish a clear understanding of the purpose of the workshop

Build consensus among participants

Ensure continued focus on the task, especially if someone talks about something which is not in the scope of the workshop

Use creative approaches to deal with interpersonal conflict or to uncover sources of bias.

The next post will cover the other two sets of tools and techniques: representations of uncertainty and data analysis.